Description:
This worm drops a copy of itself as XDCC.EXE on target network shares. If those shares are not directly accessible, it attempts to log in using either cached credentials or a hardcoded list of user names and passwords.
It may also spread by taking advantage of the following Windows exploits:
- Buffer Overflow in SQL Server 2000, a vulnerability that allows a low-privilege user to run, delete, insert or update Web tasks. As a result, an attacker who can authenticate to a SQL server may perform the same actions and run already created Web tasks in the security context of the task's creator. More information on this vulnerability is found in Microsoft Security Bulletin MS02-061.
- The RPC/DCOM vulnerability, which allows an attacker to gain full access and execute arbitrary code on a target machine by sending a malformed packet to the DCOM service over RPC on TCP port 135. More information on this vulnerability is found in Microsoft Security Bulletin MS03-026.
- The Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables a malicious user to gain full control of the affected system. This vulnerability is discussed in detail in Microsoft Bulletin MS04-011 and Trend Micro's Vulnerability Description for MS04-011.
This worm comes with a built-in IRC client, which it uses to connect to an IRC channel. It also opens a random port, through which a remote malicious user can execute commands on the affected machine. In addition, it steals CD keys of popular games installed on that machine.
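The spreading behaviour described above (credential guessing against shares, the XDCC.EXE copy, and exploit delivery over TCP port 135) leaves a recognisable pattern in host and network logs. The following is an added example of detection logic, not code from Trend Micro or from the page: it runs over a small constructed log in a simplified one-JSON-object-per-line format whose field names (`type`, `src`, `dst`, `user`, `path`, `dport`, `proto`) are assumptions for this example and do not correspond to any real event schema. The thresholds are illustrative tuning values, also assumed. The IRC backdoor listens on a random port, so it is deliberately not matched by a fixed-port rule here.

```python
"""Detection sketch for the worm's lateral-movement traits.

Added example; not Trend Micro's code. Field names and thresholds are
assumptions chosen for illustration.
"""
import json
from collections import defaultdict

# Constructed sample events (not captured data). Backslashes are JSON-escaped
# inside this raw string so that json.loads() yields a normal UNC path.
SAMPLE_LOG = r"""
{"type":"logon_failed","src":"10.0.0.5","dst":"10.0.0.20","user":"administrator"}
{"type":"logon_failed","src":"10.0.0.5","dst":"10.0.0.20","user":"admin"}
{"type":"logon_failed","src":"10.0.0.5","dst":"10.0.0.20","user":"guest"}
{"type":"logon_failed","src":"10.0.0.5","dst":"10.0.0.20","user":"root"}
{"type":"logon_failed","src":"10.0.0.5","dst":"10.0.0.20","user":"test"}
{"type":"logon_ok","src":"10.0.0.5","dst":"10.0.0.20","user":"test"}
{"type":"share_write","src":"10.0.0.5","dst":"10.0.0.20","path":"\\\\10.0.0.20\\C$\\WINDOWS\\system32\\xdcc.exe"}
{"type":"conn","src":"10.0.0.5","dst":"10.0.0.21","dport":135,"proto":"tcp"}
{"type":"conn","src":"10.0.0.5","dst":"10.0.0.22","dport":135,"proto":"tcp"}
{"type":"conn","src":"10.0.0.5","dst":"10.0.0.23","dport":135,"proto":"tcp"}
{"type":"logon_failed","src":"10.0.0.9","dst":"10.0.0.20","user":"jsmith"}
{"type":"logon_ok","src":"10.0.0.9","dst":"10.0.0.20","user":"jsmith"}
"""

DROPPER_NAME = "xdcc.exe"        # file name the description gives for the dropped copy
PASSWORD_GUESS_THRESHOLD = 4     # distinct user names failing from one source (assumed)
RPC_SWEEP_THRESHOLD = 3          # distinct hosts contacted on 135/tcp from one source (assumed)


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return a list of findings: (kind, source_host, ...details)."""
    failed_users = defaultdict(set)   # src -> user names that failed to log on
    rpc_targets = defaultdict(set)    # src -> hosts contacted on 135/tcp
    findings = []

    for ev in events:
        kind = ev.get("type")
        if kind == "logon_failed":
            failed_users[ev["src"]].add(ev["user"].lower())
        elif kind == "share_write":
            # Compare only the final path component, case-insensitively.
            name = ev["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if name == DROPPER_NAME:
                findings.append(("dropper_copy", ev["src"], ev["dst"], ev["path"]))
        elif kind == "conn" and ev.get("proto") == "tcp" and ev.get("dport") == 135:
            rpc_targets[ev["src"]].add(ev["dst"])

    # Many distinct user names failing from one source looks like a credential list in use.
    for src, users in failed_users.items():
        if len(users) >= PASSWORD_GUESS_THRESHOLD:
            findings.append(("credential_guessing", src, len(users), sorted(users)))

    # One source touching 135/tcp on several hosts looks like an RPC/DCOM sweep.
    for src, hosts in rpc_targets.items():
        if len(hosts) >= RPC_SWEEP_THRESHOLD:
            findings.append(("rpc_135_sweep", src, len(hosts), sorted(hosts)))

    return findings


def suspicious_sources(findings):
    """Distinct source hosts that triggered at least one finding."""
    return sorted({f[1] for f in findings})


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f)
```

A single host that trips more than one of these rules (here 10.0.0.5 trips all three, while 10.0.0.9 with one ordinary failed logon trips none) is the kind of correlation worth isolating quickly, since the description says the same host is also running an IRC-controlled backdoor.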
For additional information about this threat, see: Solution Technical Details
Description created: Feb. 16, 2005 11:20:17 AM GMT -0800